Hello Benjamin,
I'm a bit confused at this point about what the outstanding problem is.
We know one problem is that one device is sending empty events, which is a problem on the sending side (not on the QRadar side).
Is there a second problem whereby some properly formatted events are going to SIM Generic?
Perhaps I should try to summarize my understanding of the situation, please correct anything I have wrong:
1. You have 5 Forcepoint devices, 3 are working fine, so presumably 2 are not. I'm not clear on if the 3 working ones were manually created or autodetected, but it doesn't really matter since they are working. Lets refer to the three working devices as Device 1, Device 2, Device 3.
2. One of the non-working log sources has been manually created as type Forcepoint V-series, the events are in LEEF. My understanding is that this log source is receiving events, but they are Stored because the LEEF events are "empty" (which is expected). Let's call this Device 4 - it has a problem with how it's generating its logs - this cannot be solved on the QRadar side.
3. From the paragraph below, it sounds like the 5th device is sending valid events but they are unparsed and going to SIM Generic instead of a proper log source, but I'm confused by the reference to "the
same log source is sending logs to QRadar as SIEM generic". Is this statement referring to the 5th device, or to Device 4 previously discussed? If it's Device 4, are you saying that some events are empty and going to the manually configured log source as Stored, and some are valid and going to SIM Generic?
"However the customer noticed that the same log source is sending logs to QRadar, as SIEM generic and these log were equally not parsed nor mapped viewing the DSM editor. But i also thought the raw logs will have no values as mentioned above, but when i view the logs from the DSM editor i saw it does have values. This manually created log source has cat=stored."
I also don't understand this statement:
"Note Collin, this was tied to the Log source identifier when setting up the log source on QRadar."
I'm don't know what "this" refers to, or what what you mean by "tied".
The events going to SIM Generic have no matching enabled log source, I know this for sure, so one of three things is happening:
- a log source is missing on the QRadar side
- a log source has its LSI set incorrectly
- a Forcepoint device is sending some events with one syslog header and sending other events with a different header (or no header) and as such some events are being routed to a correct log source but others are going to SIM Generic
Thank you for sending me the sample payloads, but if they are from a working autodetected log source, I don't think they are useful information, because there is nothing wrong with them (i.e. there is no problem to solve). If there are some events going to SIM Generic, those payloads would be useful as I could then tell you what Log Source Identifier they would match to.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Mon February 22, 2021 08:00 PM
From: benjamin Nworah
Subject: DSM Parser
Hello Colin,
Thank you for your input, i have been expecting your input :).
Let me make it a bit clearer based on what i have discovered.
First, i have five forcepoint V-series devices, out of which three of these log sources are parsing and mapping correctly. Let me focus on the one that is not parsing and mapping as seen from the DSM editor, the log source was manually created with the log source type as Forcepoint V-series. On the log source side as mentioned the LEEF format was used as stated in the DSM guide, so on QRadar side from the DSM editor i changed it from JASON to LEEF, also looking at the raw logs they are in LEEF format.
For the manually created log source, the payloads have empty values for the various attributes, like src = , dst =, etc. so i guest something is wrong with the configuration on the log source side, Note, these logs are not parsed nor mapped. I was not surprised after i discovered the raw logs have no values. However the customer noticed that the same log source is sending logs to QRadar, as SIEM generic and these log were equally not parsed nor mapped viewing the DSM editor. But i also thought the raw logs will have no values as mentioned above, but when i view the logs from the DSM editor i saw it does have values. This manually created log source has cat=stored. Note Collin, this was tied to the Log source identifier when setting up the log source on QRadar.
And lastly Colin, I ran "rpm -qa | grep -i dsm" on both Console and EP, i was expecting to see the same DSMs on both appliances, however on my console i saw a lot of DSMs, while none on my EP. You made mentioned that the console deploy the artifacts to the EP, do you mean the same DSMs? or something else.?
Sorry Colin, i can't share the customer payload on this platform, these are sensitive information, but i will share with you on Linkedin.
Thank you. I await your response.
------------------------------
benjamin Nworah
Original Message:
Sent: Mon February 22, 2021 02:56 PM
From: COLIN HAY
Subject: DSM Parser
Hi Benjamin (and Mario and Karl),
There's a lot going on in this thread and some comments are completely accurate so I'm going to comment on several statements and then provide some additional advice.
Benjamin: "I checked the Console, using rpm -qa | grep -i forcepoint i saw the DSM-ForcepointVseries-********noarch. but i cant see this same dsm on my EP."
As Mario indicated, this is expected. DSM RPMs are only installed on the console and the artifacts they deliver are then deployed out to all managed hosts via deploy actions.
Mario: "if the logsource is SYSLOG based, the payload MUST adhere to the RFC164 or RFC5424"
This is not entirely correct. The syslog header on the events must conform to RFC 3164 or 5424 for QRadar to parse the syslog header and use the IP/hostname/identifier in it as the source of the event. This extracted value is used to "route" the event to a configured log source by matching it to a Log Source Identifier. If no matching log source exists, the event will appear in Log Activity associated with a SIM Generic Log log source, as it is a "catch all" bucket for any events which don't match the Log Source Identifier of any available log sources.
If a syslog event does not conform to the RFCs, QRadar will still accept it and attempt to parse it, but in this case the source of the event will default to the IP address from which it was sent.
From QRadar version 7.4.0 onward, there is a Log Source Identifier property/field in the Log Activity event details view, so for events being collected by a SIM Generic log source, you can see what the system considered the source to be - this tells you what Log Source Identifier value to use when creating a log source to handle the event.
Benjamin: "From tcpdump the logs are arriving at the EP, however looking at the log activity tab, i can see the log source with SIM-generic to the EP, not parsed nor mapped. In addition i manually created the same log source, and the logs are not parsed nor mapped despite using the forcepoint v-series DSM"
If you can see the events in tcpdump from the EP and can see the events in Log Activity (regardless of which log source they are associated to), this means the events are being successfully sent to QRadar and read off the network. The fact that the events are being routed to SIM Generic means there is no log source configured with the correct Log Source Identifier. If there was such a log source, the events would be linked to it, even if the associated DSM couldn't parse the events (they would appear with category = Stored).
Benjamin, after you manually created the log source, are the events being linked to it as Stored, or are they still going to SIM generic? If still SIM Generic, it means you need to fix your Log Source Identifier. If they are with the correct log source but are Stored (and not parsed correctly), then there is a parsing problem occurring.
Benjamin: "I am surprised why i am getting another log source auto detected after creating a log source manaully. I thought QRadar is not meant to discover another log source since i have created one already. "
A few questions here:
1. What log source type is the autodetected log source, and what type is the manually created log source (I assume it's Forcepoint V Series, but just want to be sure)
2. Does the autodetected log source have the same Log Source Identifier as the manually created log source?
QRadar will autodetect log source(s) on the same Log Source Identifier as a manually created log source if events are coming into the system which no log source can successfully parse. For example, say you manually create a log source with LSI (Log Source Identifier) 10.10.10.10. Any events originating from that IP will be routed to that log source for attempted parsing. If the log source can successfully parse the events, the events are not considered for autodetection, they simply stay with that log source. However, if they are not parseable by the existing log source, they will appear in Log Activity as Stored events (meaning they were just stored, not parsed) and will also be analyzed for the purpose of autodetection. If enough such events are received which can be parsed by another log source type (DSM), then QRadar will autodetect a log source of that type for 10.10.10.10, with a lower parsing order than the manually created log source (meaning the original log source has higher precedence/priority for any events coming from 10.10.10.10). We do this because it is possible to have multiple log sources for the same LSI - there could be a log source for the OS (Linux, Windows, etc) and then additional log sources for applications, databases, etc running on that OS.
Benjamin: "The IP address on both log sources is the same."
When you say "the IP address is the same", you mean that the LSI is the same? If so this answers one of my questions above. But this suggests that they are not the same log source type, as QRadar does not allow two log sources of the same type to coexist on the same LSI.
Benjamin: "For the manually created log source, the payload is in LEEF format, but the values are empty, like src= dst= usrname=, while the log source that was auto detected, the payload seems fine. i.e. it has values like src=x.x.x.x dst=x.x.x.x usrname=xxx."
Ok so you're saying that both your manually configured log source and the autodetected log source are actively receiving events, and they're both LEEF? Then I assume the LEEF headers must be different, and that one log source (presumably the autodetected one) is parsing events successfully?
If the LEEF attributes for the manually created log source are empty, this could explain why it isn't parsing. Is the LEEF header also empty? This sounds like a configuration problem on the sending side where it's just sending bad data for some events. It would be really helpful to see a payload sample from each log source.
Karl: "that would be true if you disabled autodetection or changed log source parsing order"
Parsing order doesn't actually affect autodetection in any way, it just defines the order in which a set of log sources which share a Log Source Identifier attempt to parse an event which matches their LSI. The first one to successfully parse the events "wins" and any log sources lower in parsing precedence don't get the chance to try. As long as one log source can accept the event, the autodetection engine will never see it, it's only if all log sources reject it that the autodetection engine gets it.
Karl: "does logdata come in with IP in log header? pls double check with tcpdump. If not you need to specify hostname as logsource identifier rather than IP address"
To be clear, you only need to use the hostname if it is present in an RFC3164 or RFC5424-compliant syslog header. If there is no header or if the header is non-compliant, you need to use the IP address for the LSI, and if there is a compliant header, you need to use whatever value is in the header (could be IP address, could be hostname, could be something else, depending on how the sending system is configured)
My advice:
First, answers to some of the questions above would help me provide a clear explanation.
Second, a general bit of wisdom for cases like this is to first determine if the events are even entering the system (that has been done - we know they are), and if so, launch the DSM Editor with the intended log source type and some sample events from Log Activity to check if the intended DSM can handle the event format. The DSM Editor allows you to pass raw events directly to a target DSM, without needing to worry about Log Source Identifier misconfiguration, so it eliminates a variable. If the DSM Editor's Log Activity Preview says that the event format is good, then the problem is almost certainly a routing problem, where the log source's Log Source Identifier is set incorrectly. If the DSM Editor's preview indicates that the DSM cannot handle the events, then this is the root problem that will cause autodetection to fail and manually-created log sources of that type to fail, and it means the 3rd party system is sending data in a format that the DSM doesn't understand, which typically can be solved with a config change on the sending side.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
Original Message:
Sent: Thu February 18, 2021 10:57 AM
From: benjamin Nworah
Subject: DSM Parser
Hello Experts,
I want to integrate a log source (Forcepoint V series) to QRadar, i am sending my logs to the Event Processor, however the logs are not passed nor mapped.
I checked the Console, using rpm -qa | grep -i forcepoint i saw the DSM-ForcepointVseries-********noarch. but i cant see this same dsm on my EP.
I tried installing this dsm on the EP but it failed , saying dependency DSM-DSMCommon is needed. I am using QRadar 7.4.1. The Force point DSM is also version 7.4.
While i tried to install the dependency on the EP, it failed saying DSM-DSMCommon can only be installed on a console.
I am using yum -y install <dsm_name>
Kindly assist!.
------------------------------
benjamin Nworah
------------------------------